Why would I ever use AES-256-CBC if AES-256-GCM is more secure?
CBC and GCM are quite different. Both are secure when used correctly, but CBC isn't as parallelizable and lacks built-in authentication. Due to this, CBC is only really practical for encrypting local files that don't need random access.
As for any advantages it might have, CBC doesn't fail as catastrophically if the IV is reused, and it can be faster if implemented on basic hardware.
As for GCM, it's basically GCM = CTR + Authentication (not CBC). It's fast and secure if used correctly, and very versatile, hence its popularity.
- CBC is older, which means more compatibility and just overall historical reasons.
- There are performance advantages, if you don't need GCM for authenticity. You often may want your own system for authenticity with some additional characteristics or you may not need it at all.
Big nitpick:
GCM = CBC + Authentication.
Nope, GCM = CTR + Authentication.
But in general you are right; CBC is an older mode that was invented back in the dark ages cryptographically speaking (no later than the 1970s), and is now disfavored because of the lack of built-in authentication and all the trouble that's been caused by padding oracles. One good practical example of this is that TLS 1.3 got rid of support for CBC.
GCM isn't a panacea either, however. It is strictly speaking correct, but has proven itself to be far from foolproof in practice:
- It fails spectacularly if you reuse a nonce. A single repeated nonce allows an adversary to recover its authentication subkey, plus to learn the XOR of the two messages with the same nonce.
- Its nonces are uncomfortably short (96 bits), which can be tricky to use with random nonces.
CBC doesn't have these problems. Random IVs work just fine (and are in fact required), and if you do repeat an IV you don't get catastrophic failure, you just leak information about equal plaintext prefixes.